The present invention relates to enterprise network security and, more particularly, to a method of censoring access to an enterprise's internal network from employees' private devices.
Recently the Bring Your Own Device (BYOD) trend has been gaining momentum. Employees are bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company information technology resources such as email, file servers and databases as well as their own personal applications and data.
The security of company data assets is one of the major concerns in the BYOD scenario. These concerns include:
1. Authentication and authorization—how the company authenticates that the device is used by an authorized user, and how the user authenticates that s/he is indeed connected to the company network (as opposed to a malicious spoofer).
2. Encryption of traffic over the various networks (wireless and others) that connect the device to the company network, to prevent eavesdropping on the transmitted data.
3. Encryption of the data stored on the device, in case the device is lost or stolen.
4. Preventing or reducing the risk of malware applications (“Apps”) and other unauthorized Apps running on the device.
A common conventional security practice to address some of these security concerns includes one or more of the following measures:
1. Authentication, authorization and encryption of traffic using a VPN (Virtual Private Network) tunnel (IPSec (Internet Protocol Security) or SSL (Secure Sockets Layer))—usually a designated App is used to establish an authenticated VPN tunnel. This designated App then encrypts all IP packets that are destined to the company network according to the VPN tunnel parameters and decrypts packets that are received from the company network.
2. Malware risk reduction is done using Mobile Device Management (MDM) software that includes an agent that company management installs in the user's device. MDM software decides via a white list (or a black list) which applications the device can run, and also applies other security measures, such as requiring the user of the device to enter a PIN code in order to use the device, and remotely erasing all (factory reset) or some (e.g. all contents of an external storage card) of the data stored in the device.
While the first measure mentioned above (the VPN tunnel), which secures access to the company's network, is usually perceived by employees as a reasonable security step, one that takes place only when the employee wants to use the device to access the company network, the second measure (MDM etc.) is more intrusive: it limits an employee's control over his/her own purchased device (e.g. limiting which Apps the employee is allowed to install), changes his/her user experience (PIN code) and potentially erases his/her own private data. If, as a result (to keep employees happy), a company implements only the first measure and not the second, the company is left in a situation in which employees can access the company network from their devices but the malware risk is not reduced: for example, a malware application running on an employee's device can make use of the VPN tunnel of the first measure to access sensitive company resources or to inflict other damage.
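The two measures and their interaction can be made concrete with a small routing model. The following Python is an added illustration, not code from the patent or from any VPN or MDM product; the corporate address range, the App names and the sample packets are constructed for the example. It shows that a VPN-only client tunnels every packet addressed to the company network regardless of which App produced it, and that combining the tunnel with an MDM-style App list changes the outcome, with the further point that an allow list and a block list treat an unknown App differently.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Hypothetical company address space (assumption for this example).
CORP_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    app: str   # identifier of the App that produced the packet
    dst: str   # destination IP address


@dataclass(frozen=True)
class AppPolicy:
    """MDM-style App list: either an allow list or a block list."""
    mode: str               # "allow_list" or "block_list"
    apps: FrozenSet[str]    # the Apps named by the list

    def app_permitted(self, app: str) -> bool:
        if self.mode == "allow_list":
            # Only listed Apps may run; anything unknown is refused.
            return app in self.apps
        if self.mode == "block_list":
            # Only listed Apps are refused; anything unknown is permitted.
            return app not in self.apps
        raise ValueError(f"unknown policy mode: {self.mode}")


def route(packet: Packet, policy: Optional[AppPolicy] = None) -> str:
    """Decide what the VPN App does with one packet.

    Returns "direct" for traffic not addressed to the company network,
    "tunnel" when the packet is encrypted into the VPN tunnel, and
    "drop" when an MDM policy refuses the originating App.
    """
    if ipaddress.ip_address(packet.dst) not in CORP_NET:
        return "direct"            # not company traffic; the tunnel is not involved
    if policy is None:
        return "tunnel"            # measure 1 alone: any App reaches the company network
    return "tunnel" if policy.app_permitted(packet.app) else "drop"


def route_all(packets: List[Packet], policy: Optional[AppPolicy] = None) -> Dict[str, str]:
    """Map each App in the sample to the decision taken for its packet."""
    return {p.app: route(p, policy) for p in packets}


# Constructed sample traffic: a mail App, a malware App, a web browser going
# to a public address, and an App the administrator has never classified.
SAMPLE_PACKETS = [
    Packet("mail", "10.1.2.3"),
    Packet("malware", "10.1.2.3"),
    Packet("browser", "93.184.216.34"),
    Packet("newapp", "10.5.5.5"),
]

ALLOW_POLICY = AppPolicy("allow_list", frozenset({"mail", "files"}))
BLOCK_POLICY = AppPolicy("block_list", frozenset({"malware"}))

if __name__ == "__main__":
    print("VPN only:      ", route_all(SAMPLE_PACKETS))
    print("VPN+allow list:", route_all(SAMPLE_PACKETS, ALLOW_POLICY))
    print("VPN+block list:", route_all(SAMPLE_PACKETS, BLOCK_POLICY))
```

With no policy the malware App's packet is tunneled exactly like the mail App's, which is the situation the passage describes. Under the allow list both the malware and the unclassified App are dropped; under the block list the unclassified App is still tunneled, so a block list only protects against malware that has already been identified and listed.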
It would be highly advantageous to have a method of configuring employees' mobile devices to enable the employees to use these devices for business purposes without compromising the security of the company's information technology resources.